
Every modern software team has the same complaint: too many alerts, too little signal. Scanners flag tens of thousands of "vulnerabilities," most of which no attacker could ever reach. OX Security's entire pitch is subtraction - strip out the unreachable and the theoretical, and hand developers the roughly 5% of risks that are actually exploitable.
Founded in 2021 by two Check Point veterans, Neatsun Ziv and Lior Arzi, OX Security builds an Active Application Security Posture Management (ASPM) platform. In plain terms, it watches software from the first line of code all the way to the running cloud workload, pulls together the findings from every scanner along the way, and then ranks them by whether they matter in context. The company describes the goal as a single source of truth for application risk - one place where security and development teams can argue about priorities using the same map.
The origin is specific. Ziv and Arzi started the company in the aftermath of the 2020 SolarWinds attack, which showed the world that the software supply chain - the pipelines, dependencies and build systems behind an app - was the soft underbelly of enterprise security. Rather than build another scanner, they set out to build the connective tissue between all of them.
"OX focuses developers on the roughly 5% of risks that are truly exploitable, reachable and impactful."
— OX Security, on its prioritization thesisOX maps risk end to end - source control, open-source dependencies, CI/CD pipelines, secrets, registries and cloud - then contextualizes and automates the response instead of just aggregating scan output.
Primarily enterprises in finance and technology. Over 200 customers, with reported names including fintech firms such as eToro and Sofi. The buyer is usually an AppSec or platform-security leader.
AI now writes code faster than humans can review it. Traditional tools bury teams in findings. OX's reachability analysis separates what an attacker could actually exploit from what's merely theoretical.
Anyone can surface 10,000 issues. OX's differentiator is telling you which few hundred are reachable and impactful - powered by PBOM lineage and Attack Path Reachability Analysis.
OX sells its platform as a B2B SaaS subscription to enterprise security teams, available directly and through cloud marketplaces such as AWS Marketplace. By 2025 the company reported crossing roughly $10M in annual recurring revenue.
The ASPM category it plays in is busy. Competitors include Apiiro - a Gartner Magic Quadrant leader known for its risk graph - along with Cycode, Snyk, Checkmarx and ArmorCode. Each stakes out slightly different ground: Cycode leans into source-control governance and pipeline integrity, Apiiro on prioritization maturity. OX's wager is that reachability and code-to-cloud lineage, packaged as "Active" ASPM, is the wedge that matters as AI-generated code multiplies the attack surface.
That the founders open-sourced their own threat model - the OSC&R framework - is telling. Rather than hoard the map of supply chain attacks, OX helped write a shared one, betting that a more literate market ultimately favors the company that helped teach it.
"The founders recognized a security gap following the SolarWinds attack, and set out to redefine application security."
— On the company's foundingNeatsun Ziv and Lior Arzi, both Check Point veterans, launch OX after the SolarWinds supply chain attack.
A seed round led by Evolution Equity and Team8 funds the launch of Pipeline Bill of Materials technology.
OX co-creates the open supply chain attack matrix and takes strategic investment from IBM Ventures.
OX ships reachability analysis to prioritize exploitable vulnerabilities and cut false positives.
DTCP leads a $60M round; OX launches VibeSec and repositions around Active ASPM for AI-era development.
Named "Application Security Company of the Year" in the CyberSecurity Breakthrough Awards, and a recognized name across the ASPM and software supply chain security market.
Search founder interviews on AI-era application security.
Product walkthroughs of the OX Active ASPM platform.
How OX approaches supply chain provenance and attacks.
Joint session on software supply chain security.
OX Security provides an Active Application Security Posture Management (ASPM) platform that maps software risk from code to cloud, consolidates security scanning, and prioritizes the vulnerabilities that are actually exploitable and reachable.
It was founded in 2021 by Neatsun Ziv (Co-Founder & CEO) and Lior Arzi (Co-Founder & CPO), both veterans of Check Point Software Technologies.
OX has raised roughly $94-101M in total, including a $34M seed in 2022 and a $60M Series B in May 2025 led by DTCP, with IBM and Microsoft participating.
Main competitors in the ASPM and software supply chain security space include Apiiro, Cycode, Snyk, Checkmarx and ArmorCode.
PBOM (Pipeline Bill of Materials) is OX's technology for tracking software lineage from commit to deployment. OSC&R is an open, ATT&CK-style framework OX co-created to map software supply chain attacks.